NOTE: Reining in the Rogue Employee: The Fourth Circuit Limits Employee Liability Under the CFAA

By Danielle E. Sunberg | 62 Am. U. L. Rev. 1417 (2013)

On January 2, 2013, the Supreme Court dismissed the petition for writ of certiorari in WEC Carolina Energy Solutions LLC v. Miller, leaving unresolved the vexing question of employee liability under the Computer Fraud and Abuse Act (CFAA). The case involved Mike Miller, former Project Director for WEC Carolina Energy Solutions (WEC), who used WEC’s proprietary information to benefit a competing business. WEC permitted Miller to access the company’s confidential and trade secret documents stored on his employer-provided laptop computer. On April 30, 2010, only twenty days after resigning from his position with WEC, Miller used the confidential information to make a pitch to a potential

client on behalf of a competitor, Arc Energy Services, Inc. (Arc). Arc won the client’s business, and WEC sued Miller and another participating colleague, asserting nine state-law charges as well as several violations of the CFAA.

The CFAA, codified at 18 U.S.C. § 1030, is the nation’s first and leading cybercrime statute. The statute grants employers a private right of action to hold employees liable for accessing a company computer “without authorization” or for “exceeding authorized access.” Penalizing this conduct grows more imperative: a 2009 study conducted by the Ponemon Institute revealed that six out of every ten departing employees steal company data and described this figure as a growing problem of “malicious insiders.” Unsurprisingly, following this expansion in the computerprotection statute, employers have increasingly used the CFAA as a means to hold rogue employees accountable for using information obtained from a company computer in a manner that conflicts with the employer’s interests.

WEC attempted to hold Miller liable under the CFAA precisely for his misuse of the company’s confidential data. The Fourth Circuit affirmed that WEC failed to file a viable claim under the CFAA because WEC did not “allege that Miller . . . accessed a computer or information on a computer without authorization.” This decision exacerbates the existing circuit split with respect to applying the CFAA to the employer-employee context. The Fourth Circuit aligns itself with the Ninth Circuit, which has adopted the narrow code approach to interpreting employee liability under the CFAA. In contrast, the Fifth, Seventh, and Eleventh Circuits have embraced a broader and more employer-friendly approach. The widening division among the circuits creates enormous problems for employers, as the CFAA’s mandate directly affects what types of employee actions are culpable and what computer authorization protections the employer must implement to protect against intellectual property theft. Many scholars and commentators hoped that the Supreme Court would grant writ of certiorari to hear WEC and thus provide guidance to employers and unify the courts. Such resolution, however, remains elusive—on January 2, 2013,the Court dismissed WEC’s petition for certiorari. In the midst of the jurisprudential confusion, Congress seeks to amend the CFAA to mitigate some of the statutory interpretation issues at the heart of the circuit split. In the wake of the Supreme Court’s dismissal of WEC, this Note explores the deepening circuit split that has engulfed the debate over employee liability under the CFAA as well as the potential future developments of the CFAA.